From 17ba5a339c2f417729a1958dc75a6b9b61d7ee83 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Tue, 26 Sep 2023 10:06:20 -0700
Subject: [PATCH 01/10] Updates to Win11 endpoints (enterprise)
---
.../privacy/manage-windows-11-endpoints.md | 30 ++++++++++++++-----
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index ae9fabcf1a..0f6f954edc 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 06/23/2023
+ms.date: 10/02/2023
ms.topic: reference
---
@@ -54,6 +54,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
|Certificates|||[Learn how to turn off traffic to all of the following endpoint(s) for certificates.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
||Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. |TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
+|||HTTP|ocsp.digicert.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s) for Cortana and Live Tiles.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS|business.bing.com|
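Review bot: The added `ocsp.digicert.com` row has an empty description cell, and the section it joins describes only the CTL download from `ctldl.windowsupdate.com`. OCSP is certificate revocation checking, which is a different function from the Automatic Root Certificates Update mechanism that the section text and its `#automatic-root-certificates-update` link cover, so a reader can't tell what breaks if this host is blocked or whether the linked setting affects it at all. Suggest adding a description that names revocation checking and states the effect of turning the traffic off. The HTTP-only protocol value is what you'd expect for an OCSP responder.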
@@ -66,6 +67,12 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||HTTP|dual-s-ring.msedge.net|
|||HTTP|creativecdn.com|
|||HTTP|edgeassetservice.azureedge.net|
+|||HTTP|r.bing.com|
+|||HTTPS|a-ring-fallback.msedge.net|
+|||HTTPS|fp-afd-nocache-ccp.azureedge.net|
+|||TLSv1.2|prod-azurecdn-akamai-iris.azureedge.net|
+|||TLSv1.2|widgetcdn.azureedge.net|
+|||TLSv1.2|widgetservice.azurefd.net|
|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s) for device authentication.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*|
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s) for device metadata.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
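Review bot: The six added rows use two different labels for encrypted traffic in the protocol column: `HTTPS` for `a-ring-fallback.msedge.net` and `fp-afd-nocache-ccp.azureedge.net`, then bare `TLSv1.2` for `prod-azurecdn-akamai-iris.azureedge.net`, `widgetcdn.azureedge.net` and `widgetservice.azurefd.net`. Nothing visible in the table says how the two differ, and anyone turning these rows into proxy or firewall rules needs to know whether a `TLSv1.2` row means HTTPS or some other TLS-wrapped protocol. Either normalize the values or define them once above the table. None of the new rows has a description, and the two `widget*` hosts read as Widgets traffic rather than Cortana or Live Tiles, so it's worth confirming they're in the right section.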
@@ -89,6 +96,13 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||HTTPS|weathermapdata.blob.core.windows.net|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft account.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoint is used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS/HTTP|login.live.com|
+|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|TLSv1.2/HTTPS|wdcp.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
+|||HTTPS/HTTP|checkappexec.microsoft.com|
+|||TLSv1.2/HTTP|ping-edge.smartscreen.microsoft.com|
+|||HTTP|data-edge.smartscreen.microsoft.com|
+|||TLSv1.2|nav-edge.smartscreen.microsoft.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Edge.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
|||TLSv1.2/HTTP|edge.microsoft.com|
|||TLSv1.2/HTTP|windows.msn.com|
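Review bot: The moved row `*smartscreen-prod.microsoft.com` keeps a wildcard with no dot after it, which leaves it unclear whether the pattern is meant to match subdomains only or any hostname ending in that string. Patch 04 in this series writes the same family as `*.smartscreen-prod.microsoft.com` and `*.smartscreen.microsoft.com` in the non-Enterprise table; using that form here would keep the two pages consistent and make the rows safe to copy into filter rules. The three new `*-edge.smartscreen.microsoft.com` rows also carry three different protocol values (`TLSv1.2/HTTP`, `HTTP`, `TLSv1.2`); confirm that `data-edge.smartscreen.microsoft.com` really was observed over plaintext HTTP only.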
@@ -113,7 +127,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the internet, and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|||HTTP|ipv6.msftconnecttest.com|
|Office|||[Learn how to turn off traffic to all of the following endpoint(s) for Office.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTPS|www.office.com|
+||The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTPS|www.office.com|
|||HTTPS|blobs.officehome.msocdn.com|
|||HTTPS|officehomeblobs.blob.core.windows.net|
|||HTTPS|self.events.data.microsoft.com|
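Review bot: The Office header row just above the changed line still sends its "Learn how to turn off traffic" link to `#26-microsoft-store`, which reads as the Microsoft Store section rather than anything Office-specific. Since this hunk is already repairing a link in the Office block, check that anchor in the same pass. The new inline link target matches the first entry under "Related links", which is fine as long as the two are kept in sync.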
@@ -121,6 +135,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||HTTP|officeclient.microsoft.com|
|||HTTP|ecs.nel.measure.office.net|
|||HTTPS/HTTP|telecommandstorageprod.blob.core.windows.net|
+|||TLSv1.2|odc.officeapps.live.com|
|OneDrive|||[Learn how to turn off traffic to all of the following endpoint(s) for OneDrive.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
||The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|TLSv1.2/HTTPS/HTTP|g.live.com|
|||HTTP|onedrive.live.com|
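Review bot: `odc.officeapps.live.com` is added here as `TLSv1.2` only, but patch 04 adds the same host to the non-Enterprise table as `TLSv1.2/HTTP`. If the difference comes from the two captures, that's worth a note in the commit message; if not, one of the two rows is wrong. The row also has no description, so it inherits the Office 365 portal text several rows up without saying which Office component makes the request.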
@@ -136,10 +151,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
||The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|||HTTP|teams.live.com|
|||TLSv1.2/HTTP|teams.events.data.microsoft.com|
-|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
-||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|HTTPS/TLSv1.2|wdcp.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
-|||HTTPS/HTTP|checkappexec.microsoft.com|
+|||TLSv1.2|statics.teams.cdn.live.net|
|Windows Spotlight|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
||The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. |TLSv1.2/HTTPS/HTTP|arc.msn.com|
|||HTTPS|ris.api.iris.microsoft.com|
@@ -150,6 +162,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||HTTP|srtb.msn.com|
|||TLSv1.2/HTTP|www.msn.com|
|||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
+|||TLSv1.2|staticview.msn.com|
|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|emdl.ws.microsoft.com|
@@ -160,9 +173,10 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoint is used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
+||The following endpoints are used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
+|||TLSv1.2|da.xboxservices.com|
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
+- [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
From ff015289d1b54fae317a37d09c5f2f0fb04520de Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Tue, 26 Sep 2023 10:18:48 -0700
Subject: [PATCH 02/10] Fix protocol
---
windows/privacy/manage-windows-11-endpoints.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 0f6f954edc..4a0d826dfa 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -151,7 +151,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
||The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|||HTTP|teams.live.com|
|||TLSv1.2/HTTP|teams.events.data.microsoft.com|
-|||TLSv1.2|statics.teams.cdn.live.net|
+|||HTTP|statics.teams.cdn.live.net|
|Windows Spotlight|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
||The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. |TLSv1.2/HTTPS/HTTP|arc.msn.com|
|||HTTPS|ris.api.iris.microsoft.com|
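Review bot: Changing `statics.teams.cdn.live.net` from `TLSv1.2` to `HTTP` tells readers this traffic is plaintext only, and the commit message "Fix protocol" doesn't say what the capture actually showed. The neighbouring `teams.events.data.microsoft.com` row uses the combined value `TLSv1.2/HTTP`; if both were observed for this host, use the combined value here too. Since the row was introduced in patch 01 of this series, the correction could be folded into that patch so the history never carries the wrong value.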
From 5f9c49204cac04c88f968dba0e18bf032dcc69be Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 5 Oct 2023 15:21:39 -0700
Subject: [PATCH 03/10] Add more endpoints
---
windows/privacy/manage-windows-11-endpoints.md | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 4a0d826dfa..904fc1d8e9 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 10/02/2023
+ms.date: 10/06/2023
ms.topic: reference
---
@@ -78,6 +78,9 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s) for device metadata.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.|HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data| ||[Learn how to turn off traffic to all of the following endpoint(s) for diagnostic data.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2|functional.events.data.microsoft.com|
+|||HTTP|browser.events.data.msn.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|self.events.data.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
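Review bot: The three added rows are inserted between the Diagnostic Data header row and its first description row, so they have empty description cells and appear before the text that explains what the section's endpoints do. Every other block in the visible table puts a description row first and the `|||` continuation rows after it. Suggest moving them below the description they belong to, or giving them their own. `www.microsoft.com` in particular needs one: it's a general-purpose host, and listing it under Diagnostic Data without explanation gives an admin no way to judge what else is affected by blocking it.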
@@ -164,6 +167,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
|||TLSv1.2|staticview.msn.com|
|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||TLSv1.2|definitionupdates.microsoft.com|
||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
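Review bot: `definitionupdates.microsoft.com` is inserted directly under the Windows Update header row, ahead of the description rows and with an empty description cell. The hostname suggests definition (security intelligence) updates; if that's what it serves, say so in the description, state what happens when the traffic is turned off, and consider whether the row belongs in the Microsoft Defender Antivirus block that patch 01 moved rather than here.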
From 8007e34104d6039ccb6ed08a8b14bca69da15660 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 5 Oct 2023 16:28:05 -0700
Subject: [PATCH 04/10] Updates to Windows 11 Pro table
---
...ws-11-endpoints-non-enterprise-editions.md | 103 ++++++++++++++----
1 file changed, 82 insertions(+), 21 deletions(-)
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 35536d7efd..721a66781f 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 12/17/2020
+ms.date: 10/05/2023
ms.topic: reference
---
# Windows 11 connection endpoints for non-Enterprise editions
@@ -21,11 +21,11 @@ In addition to the endpoints listed for [Windows 11 Enterprise](manage-windows-1
The following methodology was used to derive the network endpoints:
1. Set up the latest version of Windows 11 on a test virtual machine using the default settings.
-2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Microsoft Entra ID.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week. If you capture traffic for longer, you may have different results.
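Review bot: Item 6 is edited for the article ("a" to "an") but keeps `IPV4` and `IPV6`; the standard spellings are IPv4 and IPv6, and this is the line to fix them on. Item 5 now says "Microsoft Entra ID", so check that the rest of the page doesn't still say "Azure Active Directory" elsewhere.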
@@ -49,7 +49,7 @@ The following methodology was used to derive the network endpoints:
|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
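Review bot: The Diagnostic data description is being touched for the contraction only, but the same sentence still has "The following endpoints are used ... and connects" and then switches to "this endpoint" in the next sentence. Suggest "connect" and "these endpoints" while the row is open. The identical text is edited again in the larger table hunk below, so fix both copies together.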
@@ -62,7 +62,7 @@ The following methodology was used to derive the network endpoints:
|||HTTPS/HTTP|ecn.dev.virtualearth.net|
|||HTTPS/HTTP|ssl.bing.com|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
-|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoint to contact external websites.|HTTPS/HTTP|edge.activity.windows.com edge.microsoft.com|
+|Microsoft Edge| This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires these endpoints to contact external websites.|HTTPS/HTTP|edge.activity.windows.com edge.microsoft.com|
|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
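Review bot: The edited Microsoft Edge row still puts two hosts, `edge.activity.windows.com edge.microsoft.com`, in a single destination cell separated by a space. Anyone extracting the destination column gets one invalid hostname out of that cell. The larger hunk below splits the run-together `wdcp.microsoft.comwdcpalt.microsoft.com` into two rows; do the same here, one `|||HTTPS/HTTP|…|` continuation row per host.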
@@ -119,53 +119,114 @@ The following methodology was used to derive the network endpoints:
| **Area** | **Description** | **Protocol** | **Destination** |
| --- | --- | --- | ---|
| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
+|||HTTP|assets.activity.windows.com|
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+|||HTTP|ocsp.digicert.com|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||HTTPS|business.bing.com|
+|||HTTP|c.bing.com|
+|||HTTP|edgeassetservice.azureedge.net|
+|||HTTP|fp.msedge.net|
+|||HTTP|fp-vs.azureedge.net|
+|||TLSv1.2|ln-ring.msedge.net|
+|||TLSv1.2|prod-azurecdn-akamai-iris.azureedge.net|
+|||HTTP|r.bing.com|
+|||TLSv1.2/HTTP|s-ring.msedge.net|
+|||HTTP|t-ring.msedge.net|
+|||HTTP|t-ring-fdv2.msedge.net|
+|||TLSv1.2|tse1.mm.bing.net|
+|||TLSv1.2|widgetcdn.azureedge.net|
+|||TLSv1.2|widgetservice.azurefd.net|
|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data||HTTP|browser.events.data.msn.com|
+|||TLSv1.2|functional.events.data.microsoft.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
+||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft. |TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|||TLSv1.2/HTTP|self.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
+|||TLSv1.2/HTTP|watson.events.data.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
-|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
+|Licensing|The following endpoint is used for online activation and some app licensing.|TLSv1.2/HTTPS/HTTP|*licensing.mp.microsoft.com|
+|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps can't use location data.|TLSv1.2|inference.location.live.net|
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
+|||HTTP|ecn-us.dev.virtualearth.net|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|||TLSv1.2/HTTP|edge.microsoft.com|
+|||HTTP|edge.nelreports.net|
+|||TLSv1.2/HTTP|windows.msn.com|
|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+|||HTTP|img-s-msn-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+||The following endpoints are needed to load the content in the Microsoft Store app.|HTTP|storeedgefd.dsx.mp.microsoft.com|
+|Microsoft To Do|The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.officeppe.com|
+|||HTTP|staging.to-do.microsoft.com|
+|||TLSv1.2/HTTP|to-do.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
-|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||HTTP|ipv6.msftconnecttest.com|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
+|||TLSv1.2/HTTP/HTTPS|*.blob.core.windows.net|
+|||TLSv1.2/HTTP|ecs.nel.measure.office.net|
+|||TLSv1.2/HTTP|ocws.officeapps.live.com|
+|||TLSv1.2/HTTP|odc.officeapps.live.com|
|||TLSv1.2/HTTPS|office.com|
-|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
-|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
-|||HTTP/HTTPS|*.blob.core.windows.net|
-|||TLSv1.2|self.events.data.microsoft.com|
-|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com|
+|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
+|||TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|||HTTP|roaming.officeapps.live.com|
+|||TLSv1.2|self.events.data.microsoft.com|
|||HTTPS/HTTP|substrate.office.com|
-|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
-|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTP|tfl.nel.measure.office.net|
+|OneDrive|The following endpoints are related to OneDrive.|HTTP|ams03pap005.storage.live.com|
+|||HTTP|api.onedrive.com|
+|||HTTPS|g.live.com|
|||HTTPS/TLSv1.2|logincdn.msauth.net|
-|||HTTPS/HTTP|windows.policies.live.net|
-|||HTTPS/HTTP|*storage.live.com|
+|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTP|onedrive.live.com|
+|||HTTP|sat02pap005.storage.live.com|
|||HTTPS/HTTP|*settings.live.net|
+|||HTTP|skyapi.live.net|
+|||HTTP|skydrivesync.policies.live.net|
+|||HTTPS/HTTP|*storage.live.com|
+|||HTTPS/HTTP|windows.policies.live.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|||HTTP|edge.skype.com|
+|||HTTP|experimental-api.asm.skype.com|
+|||HTTP|trouter-azsc-ukwe-0-b.trouter.skype.com|
+|||HTTP|us-api.asm.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
-|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.comwdcpalt.microsoft.com|
+|||TLSv1.2/HTTP|teams.events.data.microsoft.com|
+|||HTTP|teams.live.com|
+|||HTTP|statics.teams.cdn.live.net|
+|||HTTP|statics.teams.cdn.office.net|
+|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
+|||TLSv1.2/HTTPS|wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
-|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*ris.api.iris.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTP|api.msn.com|
+|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
+|||TLSv1.2/HTTP|assets.msn.com|
+|||HTTP|c.msn.com|
+|||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
+|||HTTP|ntp.msn.com|
+|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
+|||HTTP|srtb.msn.com|
+|||TLSv1.2/HTTP|www.msn.com|
+|Windows Update||TLSv1.2|definitionupdates.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
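Review bot: The added row `|Windows Update||TLSv1.2|definitionupdates.microsoft.com|` has an empty description and repeats the `Windows Update` area label that the next, unchanged row already carries, so the table ends up with two Windows Update groups. Give the new row a description and drop the label from the row below it. Separately, the added OneDrive hosts `ams03pap005.storage.live.com` and `sat02pap005.storage.live.com` look like individual storage nodes and are already matched by the `*storage.live.com` row in the same group; host-level entries like these go stale in allowlists, so consider keeping only the wildcard.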
@@ -195,7 +256,7 @@ The following methodology was used to derive the network endpoints:
|||TLSv1.2|odinvzc.azureedge.net|
|||TLSv1.2|b-ring.msedge.net|
|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
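Review bot: The Diagnostic data cell still mixes number after the "won't" fix: it opens with "The following endpoints are used by ... and connects to", then says "this endpoint", and the row lists a single host. Since the hunk already rewrites this cell, settle on the singular ("The following endpoint is used by ... and connects to") in the same change.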
From 4d9837265ddbda861c61abe5376d6469e2b86dee Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 5 Oct 2023 16:31:44 -0700
Subject: [PATCH 05/10] Update reference to AAD
---
windows/privacy/manage-windows-11-endpoints.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 904fc1d8e9..a56f1423b3 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -34,7 +34,7 @@ The following methodology was used to derive these network endpoints:
2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory.
+5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Microsoft Entra ID.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
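Review bot: Step 5 drops "Azure Active Directory" with no trace of the former name, which readers and existing search queries still use; on this mention consider "Microsoft Entra ID (formerly Azure Active Directory)". The hunk headers in PATCH 06 show that windows-11-endpoints-non-enterprise-editions.md has its own methodology section, so check whether it needs the same rename, because this commit touches only the enterprise page.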
From b8959dd5983523569028cbf7b6b764858e7d7dc2 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 5 Oct 2023 17:17:37 -0700
Subject: [PATCH 06/10] Various fixes
---
...ws-11-endpoints-non-enterprise-editions.md | 24 +++++++++----------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 721a66781f..c0911c2997 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -76,7 +76,7 @@ The following methodology was used to derive the network endpoints:
|||TLSv1.2/HTTPS|office.com|
|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
-|||HTTP/HTTPS|*.blob.core.windows.net|
+|||HTTPS/HTTP|*.blob.core.windows.net|
|||TLSv1.2|self.events.data.microsoft.com|
|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|||HTTP|roaming.officeapps.live.com|
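Review bot: The reordered row `*.blob.core.windows.net` already matches `officehomeblobs.blob.core.windows.net` on the line directly above it, so the group lists the same destination twice. The wildcard also matches every Azure Blob Storage account, not only Microsoft-operated ones, so an admin who copies this row into a proxy or firewall allowlist permits far more than Office traffic. If the specific host is what the capture showed, keep that row and drop or annotate the wildcard.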
@@ -107,7 +107,7 @@ The following methodology was used to derive the network endpoints:
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|
@@ -156,6 +156,11 @@ The following methodology was used to derive the network endpoints:
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
|||HTTP|ecn-us.dev.virtualearth.net|
|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
+|||TLSv1.2/HTTPS|wdcpalt.microsoft.com|
+|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
+|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|||TLSv1.2/HTTP|edge.microsoft.com|
|||HTTP|edge.nelreports.net|
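Review bot: The moved Defender block keeps `*.smartscreen-prod.microsoft.com` under the "Cloud-based Protection" description, with the SmartScreen description starting only on the following row. PATCH 08 later moves that description up one row; since this hunk re-adds the whole block, fold the correction in here so the intermediate commit does not carry the misplacement. The first description cell also lacks its closing period.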
@@ -167,14 +172,14 @@ The following methodology was used to derive the network endpoints:
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
-||The following endpoints are needed to load the content in the Microsoft Store app.|HTTP|storeedgefd.dsx.mp.microsoft.com|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTP|storeedgefd.dsx.mp.microsoft.com|
|Microsoft To Do|The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.officeppe.com|
|||HTTP|staging.to-do.microsoft.com|
|||TLSv1.2/HTTP|to-do.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
|||HTTP|ipv6.msftconnecttest.com|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
-|||TLSv1.2/HTTP/HTTPS|*.blob.core.windows.net|
+|||TLSv1.2/HTTPS/HTTP|*.blob.core.windows.net|
|||TLSv1.2/HTTP|ecs.nel.measure.office.net|
|||TLSv1.2/HTTP|ocws.officeapps.live.com|
|||TLSv1.2/HTTP|odc.officeapps.live.com|
@@ -212,11 +217,6 @@ The following methodology was used to derive the network endpoints:
|||HTTP|teams.live.com|
|||HTTP|statics.teams.cdn.live.net|
|||HTTP|statics.teams.cdn.office.net|
-|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
-|||TLSv1.2/HTTPS|wdcpalt.microsoft.com|
-|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
-|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTP|api.msn.com|
|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
|||TLSv1.2/HTTP|assets.msn.com|
@@ -227,13 +227,13 @@ The following methodology was used to derive the network endpoints:
|||HTTP|srtb.msn.com|
|||TLSv1.2/HTTP|www.msn.com|
|Windows Update||TLSv1.2|definitionupdates.microsoft.com|
-|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+||The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|
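Review bot: With the area label removed from the `*.prod.do.dsp.mp.microsoft.com` row, the only row carrying `Windows Update` is `|Windows Update||TLSv1.2|definitionupdates.microsoft.com|`, whose description cell is empty. Add a description for that host so the group does not open with an unexplained endpoint.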
@@ -294,7 +294,7 @@ The following methodology was used to derive the network endpoints:
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
-||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|
From 887733f62268959353bc567e34b30dcca12cf71a Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 5 Oct 2023 17:17:56 -0700
Subject: [PATCH 07/10] Update ms.date
---
windows/privacy/windows-11-endpoints-non-enterprise-editions.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index c0911c2997..83e52054be 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -7,7 +7,7 @@ ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 10/05/2023
+ms.date: 10/06/2023
ms.topic: reference
---
# Windows 11 connection endpoints for non-Enterprise editions
From 1e26596ab3d88be156e54e6c4139fbbeb74e5101 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Thu, 5 Oct 2023 17:27:01 -0700
Subject: [PATCH 08/10] Fix is/are issues
---
...ws-11-endpoints-non-enterprise-editions.md | 28 +++++++++----------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 83e52054be..c6aa96d54d 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -120,11 +120,11 @@ The following methodology was used to derive the network endpoints:
| --- | --- | --- | ---|
| Activity Feed Service |The following endpoints are used by Activity Feed Service, which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
|||HTTP|assets.activity.windows.com|
-|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
+|Apps|The following endpoint is used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
-||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+||The following endpoint is used for Spotify Live Tile.|HTTPS/HTTP|spclient.wg.spotify.com|
+|Certificates|The following endpoints are used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|||HTTP|ocsp.digicert.com|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS|business.bing.com|
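Review bot: Pluralising the Certificates description to "The following endpoints are used by the Automatic Root Certificates Update component ... on Windows Update" extends it to the `ocsp.digicert.com` row below, which is a certificate status (OCSP) host reached over HTTP, not a Windows Update location. Keep the singular for `ctldl.windowsupdate.com/*` and give `ocsp.digicert.com` its own description.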
@@ -150,22 +150,22 @@ The following methodology was used to derive the network endpoints:
|||TLSv1.2/HTTP|self.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
|||TLSv1.2/HTTP|watson.events.data.microsoft.com|
-|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
+|Font Streaming|The following endpoints is used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
|Licensing|The following endpoint is used for online activation and some app licensing.|TLSv1.2/HTTPS/HTTP|*licensing.mp.microsoft.com|
|Location|The following endpoint is used for location data. If you turn off traffic for this endpoint, apps can't use location data.|TLSv1.2|inference.location.live.net|
|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
|||HTTP|ecn-us.dev.virtualearth.net|
-|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Account|The following endpoint is used for Microsoft accounts to sign in. |TLSv1.2/HTTPS/HTTP|*login.live.com|
|Microsoft Defender Antivirus|The following endpoints are used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
|||TLSv1.2/HTTPS|wdcpalt.microsoft.com|
-|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
-||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
+|||TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
-|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft Edge|The following endpoints are used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates. |HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|||TLSv1.2/HTTP|edge.microsoft.com|
|||HTTP|edge.nelreports.net|
|||TLSv1.2/HTTP|windows.msn.com|
-|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+|Microsoft Store|The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
|||HTTP|img-s-msn-com.akamaized.net|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
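Review bot: The Font Streaming change introduces "The following endpoints is used", which is ungrammatical; the group lists one host (`fs.microsoft.com*`), so it should read "The following endpoint is used". In the Microsoft Edge row the first sentence becomes plural while the second still says "If you disable this endpoint", so that sentence needs the matching update.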
@@ -204,15 +204,15 @@ The following methodology was used to derive the network endpoints:
|||HTTP|skydrivesync.policies.live.net|
|||HTTPS/HTTP|*storage.live.com|
|||HTTPS/HTTP|windows.policies.live.net|
-|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
+|Settings|The following endpoints are used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
-|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|Skype|The following endpoints are used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|||HTTP|edge.skype.com|
|||HTTP|experimental-api.asm.skype.com|
|||HTTP|trouter-azsc-ukwe-0-b.trouter.skype.com|
|||HTTP|us-api.asm.skype.com|
-|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Teams|The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|||TLSv1.2/HTTP|teams.events.data.microsoft.com|
|||HTTP|teams.live.com|
|||HTTP|statics.teams.cdn.live.net|
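Review bot: The Settings row now opens with "The following endpoints are used" but its second sentence still ends "the Xbox app use it"; change "it" to "them" in the same edit. The Teams row would also read better as "for the Microsoft Teams application".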
@@ -227,12 +227,12 @@ The following methodology was used to derive the network endpoints:
|||HTTP|srtb.msn.com|
|||TLSv1.2/HTTP|www.msn.com|
|Windows Update||TLSv1.2|definitionupdates.microsoft.com|
-||The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
-||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint enables connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS/HTTP|adl.windows.com|
||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoints are used for Xbox Live.|TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
From 4db58d32e6981205ffa7c4bd04df49c181e3e468 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Fri, 6 Oct 2023 10:33:50 -0700
Subject: [PATCH 09/10] Remove ppe entry
---
.../privacy/windows-11-endpoints-non-enterprise-editions.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index c6aa96d54d..483e61d221 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -173,8 +173,7 @@ The following methodology was used to derive the network endpoints:
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
||The following endpoint is needed to load the content in the Microsoft Store app.|HTTP|storeedgefd.dsx.mp.microsoft.com|
-|Microsoft To Do|The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.officeppe.com|
-|||HTTP|staging.to-do.microsoft.com|
+|Microsoft To Do|The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.microsoft.com|
|||TLSv1.2/HTTP|to-do.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
|||HTTP|ipv6.msftconnecttest.com|
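Review bot: After `staging.to-do.officeppe.com` is dropped, the first host listed for Microsoft To Do is still `staging.to-do.microsoft.com` over plain HTTP. If the ppe host was removed because it is not a production endpoint, confirm whether the staging host belongs in a customer-facing list; if it does, a short note on why a production device contacts it would help admins deciding what to allow.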
From d3b62511c42cdfdb2dbdd3b1f87b0c1647a09d02 Mon Sep 17 00:00:00 2001
From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com>
Date: Fri, 6 Oct 2023 10:35:17 -0700
Subject: [PATCH 10/10] Remove ppe entry
---
windows/privacy/manage-windows-11-endpoints.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index a56f1423b3..79bba0d70f 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -123,8 +123,7 @@ To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connec
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Microsoft To Do|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft To Do.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
-||The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.officeppe.com|
-|||HTTP|staging.to-do.microsoft.com|
+||The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.microsoft.com|
|||TLSv1.2/HTTP|to-do.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s) for Network Connection Status Indicator (NCSI).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the internet, and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
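Review bot: This commit and PATCH 09 carry the identical subject "Remove ppe entry" and make the same one-row change in two different files; name the affected page in each subject, or squash the two, so the history shows which document each commit touches.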